VMSA-2020-0020: VMware Workstation, Fusion and Horizon Client updates address multiple security vulnerabilities
23589
17 November 2020
12 September 2020
CLOSED
MEDIUM
3.8-6.7
CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990
1. Impacted Products
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Horizon Client for Windows
2. Introduction
Multiple vulnerabilities in VMware Workstation, Fusion and Horizon Client were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
3a. PATH configuration privilege escalation vulnerability (CVE-2020-3980)
Description
VMware Fusion contains a privilege escalation vulnerability due to the way it allows configuring the system-wide path. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.
Known Attack Vectors
An attacker with normal user privileges may exploit this issue to trick an admin user into executing malicious code on the system where Fusion is installed.
Resolution
To remediate CVE-2020-3980 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank Rich Mirch from TeamARES of Critical Start for reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
Fusion | 12.x | OS X | CVE-2020-3980 | N/A | N/A | not affected | N/A | N/A |
Fusion | 11.x | OS X | CVE-2020-3980 | | moderate | 11.5.7 | None | None |
3b. Multiple out-of-bounds read vulnerabilities via Cortado ThinPrint (CVE-2020-3986, CVE-2020-3987, CVE-2020-3988)
Description
VMware Workstation and Horizon Client for Windows contain multiple out-of-bounds read vulnerabilities in the Cortado ThinPrint component. These issues exist in the EMF and JPEG2000 parsers. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.2.
Known Attack Vectors
A malicious actor with normal access to a virtual machine may be able to exploit these issues to create a partial denial-of-service condition or to leak memory from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.
Resolution
To remediate CVE-2020-3986 (EMF parser), CVE-2020-3987 (EMR STRETCHDIBITS parser), and CVE-2020-3988 (JPEG2000 parser) apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank KPC of Trend Micro's Zero Day Initiative and pig working with Trend Micro's Zero Day Initiative for reporting these issues to us.
Notes
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
Horizon Client for Windows | 5.x and prior | Windows | CVE-2020-3986, CVE-2020-3987, CVE-2020-3988 | | moderate | 5.4.4 | None | None |
Workstation | 16.x | Any | CVE-2020-3986, CVE-2020-3987, CVE-2020-3988 | N/A | N/A | not affected | N/A | N/A |
Workstation | 15.x | Linux | CVE-2020-3986, CVE-2020-3987, CVE-2020-3988 | N/A | N/A | not affected | N/A | N/A |
Workstation | 15.x | Windows | CVE-2020-3986, CVE-2020-3987, CVE-2020-3988 | | moderate | 15.5.7 | None | None |
3c. Denial-of-service vulnerability via Cortado ThinPrint (CVE-2020-3989)
Description
VMware Workstation and Horizon Client for Windows contain a denial-of-service vulnerability due to an out-of-bounds write issue in the Cortado ThinPrint component. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.8.
Known Attack Vectors
A malicious actor with normal access to a virtual machine may be able to exploit this issue to create a partial denial-of-service condition on the system where Workstation or Horizon Client for Windows is installed.
Resolution
To remediate CVE-2020-3989 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank linhlhq of VinCSS (Member of Vingroup) working with Trend Micro's Zero Day Initiative for reporting this issue to us.
Notes
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
Horizon Client for Windows | 5.x and prior | Windows | CVE-2020-3989 | | low | 5.4.4 | None | None |
Workstation | 16.x | Any | CVE-2020-3989 | N/A | N/A | not affected | N/A | N/A |
Workstation | 15.x | Linux | CVE-2020-3989 | N/A | N/A | not affected | N/A | N/A |
Workstation | 15.x | Windows | CVE-2020-3989 | | low | 15.5.7 | None | None |
3d. Information disclosure vulnerability via Cortado ThinPrint (CVE-2020-3990)
Description
VMware Workstation and Horizon Client for Windows contain an information disclosure vulnerability due to an integer overflow issue in the Cortado ThinPrint component. VMware has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 3.8.
Known Attack Vectors
A malicious actor with normal access to a virtual machine may be able to exploit this issue to leak memory from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.
Resolution
To remediate CVE-2020-3990 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Acknowledgements
VMware would like to thank linhlhq of VinCSS (Member of Vingroup) working with Trend Micro's Zero Day Initiative for reporting this issue to us.
Notes
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon Client.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
Horizon Client for Windows | 5.x and prior | Windows | CVE-2020-3990 | | low | 5.4.4 | None | None |
Workstation | 16.x | Any | CVE-2020-3990 | N/A | N/A | not affected | N/A | N/A |
Workstation | 15.x | Linux | CVE-2020-3990 | N/A | N/A | not affected | N/A | N/A |
Workstation | 15.x | Windows | CVE-2020-3990 | | low | 15.5.7 | None | None |
4. References
Fixed Version(s) and Release Notes:
VMware Workstation Pro 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html
VMware Workstation Player 15.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion 11.5.7
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
VMware Horizon Client 5.4.4
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0
https://docs.vmware.com/en/VMware-Horizon-Client/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3990
FIRST CVSSv3 Calculator:
CVE-2020-3980 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2020-3986 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3987 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3988 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CVE-2020-3989 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
CVE-2020-3990 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
5. Change Log
2020-09-14: VMSA-2020-0020 - Initial security advisory.
2020-11-19: VMSA-2020-0020.1 - Updated security advisory to add Fusion 11.x version in the response matrix of section 3(a) and Workstation 15.x version in the response matrix of section 3(b), 3(c) & 3(d).
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.